diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-04-13 11:38:34 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2020-04-13 17:32:27 +0200 |
| commit | daf8f72b4eba3702a5bdf109c82dc71d1483f1c6 (patch) | |
| tree | 9b8ac152fb2b1a4823643dc4f0e5bae1849dba38 | |
| parent | 6663cfd5747e13dd13f1dcff7e3b2f19e5ea1dfd (diff) | |
| download | systemd-daf8f72b4eba3702a5bdf109c82dc71d1483f1c6.tar.gz | |
core: make sure ProtectHostname= is handled gracefully in containers lacking seccomp
Fixes: #15408
| -rw-r--r-- | src/core/execute.c | 60 |
1 files changed, 40 insertions, 20 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index c59acad4ce..439b4a4ab4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1577,7 +1577,7 @@ static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) { return seccomp_protect_syslog(); } -static int apply_protect_clock(const Unit *u, const ExecContext *c) { +static int apply_protect_clock(const Unit *u, const ExecContext *c) { assert(u); assert(c); @@ -1646,6 +1646,41 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) { #endif +static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) { + int r; + + assert(u); + assert(c); + + if (!c->protect_hostname) + return 0; + + if (ns_type_supported(NAMESPACE_UTS)) { + if (unshare(CLONE_NEWUTS) < 0) { + if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) { + *ret_exit_status = EXIT_NAMESPACE; + return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m"); + } + + log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup."); + } + } else + log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup."); + +#if HAVE_SECCOMP + if (skip_seccomp_unavailable(u, "ProtectHostname=")) + return 0; + + r = seccomp_protect_hostname(); + if (r < 0) { + *ret_exit_status = EXIT_SECCOMP; + return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m"); + } +#endif + + return 0; +} + static void do_idle_pipe_dance(int idle_pipe[static 4]) { assert(idle_pipe); @@ -3596,25 +3631,10 @@ static int exec_child( } } - if (context->protect_hostname) { - if (ns_type_supported(NAMESPACE_UTS)) { - if (unshare(CLONE_NEWUTS) < 0) { - if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) { - *exit_status = EXIT_NAMESPACE; - return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m"); - } - - log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup."); - } - } else - log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup."); -#if HAVE_SECCOMP - r = seccomp_protect_hostname(); - if (r < 0) { - *exit_status = EXIT_SECCOMP; - return log_unit_error_errno(unit, r, "Failed to apply hostname restrictions: %m"); - } -#endif + if (needs_sandboxing) { + r = apply_protect_hostname(unit, context, exit_status); + if (r < 0) + return r; } /* Drop groups as early as possible. |